Elgg 1.7.4 and ldap_auth

Hey Folks,

I am really close to releasing our Elgg environment to my team at work. I am having a hard time getting LDAP authentication to work. I've tried the ldap_auth plugin from the plugin download site as well as the SVN version (trunk).

I've verified my settings as well as using an LDAP browser to make sure all my settings are correct. The problem is, when a user who is in Active Directory tries to log in, it just returns to the login screen. If I try to sign in as a user NOT in AD, an error shows up saying "no account exists" or something along those lines.

If I look in my http error_log, I see this:

[Fri Oct 29 12:55:22 2010] [error] [client 10.7.11.78] PHP WARNING: 2010-10-29 12:55:22 (EDT): "ldap_search() [<a href='function.ldap-search'>function.ldap-search</a>]: Search: No such object" in file /var/www/vhosts/xxx.xxx.xxx.xxx/httpdocs/mod/ldap_auth/start.php (line 258), referer: http://xxx.xxx.xxx.xxx/

[Fri Oct 29 12:55:22 2010] [error] [client 10.7.11.78] Unable to perform LDAP search: No such object, referer: http://xxx.xxx.xxx.xxx/

[Fri Oct 29 12:55:22 2010] [error] [client 10.7.11.78] Options FollowSymLinks or SymLinksIfOwnerMatch is off which implies that RewriteRule directive is forbidden: /var/www/vhosts/xxx.xxx.xxx.xxx/httpdocs/, referer: http://xxx.xxx.xxx.xxx/

I've looked at the code, here is line 258:
$sr = @ldap_search($ds, $basedn, $filter_attr ."=". $username, array_values($search_attr));
$ds appears to be assigned correctly, since it seems to make the LDAP connection to AD. If I could figure out which object isn't being set, I bet I'm golden.
Any ideas?

Thanks!
  • We're using the svn ldap_auth plugin with some additional error checking added in. The current one is a little light in that area. I'd guess basedn problem.

    I'll see what I can do about committing some of our additions back to the svn repository.

  • Thanks, Cash.

    I realized over the weekend I might have left out some important info:


    PHP 5.3.3 (cli) (built: Jul 22 2010 17:12:45)
    The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

  • I finished the integration of our error checking into the original plugin. It is the 1.7 branch of the svn repository: plugins/branches/1.7/ldap_auth

    The labels on the fields can be confusing - at least they were to me. If you are doing an anonymous bind, leave the "LDAP bind DN" blank. We're not doing anonymous and so had to enter the bind account username. Initially, I misunderstood that and was putting our base DN there.

  • Hi guys,

    I am trying to add ldap_auth to Elgg 1.7.4.

    Is this supposed to work?

    Settings are saved without issuing an error (should it show an error if the settings are wrong?).

    When I try to log in, it doesn't work as expected.

    I don't use TLS; I do use LDAP v3.

    Also, assuming that this is configured right, can the hostname for LDAP be localhost if the Elgg server and the LDAP server are one and the same?


  • This is the log output I get:

    "ldap_bind(): Unable to bind to server: Invalid credentials" in file /-------/mod/ldap_auth/start.php (line 199), referer: https://secure-----/

    LDAP: Unable to bind to the LDAP server with provided credentials: Invalid credentials, referer: https://secure------/

    LDAP error: unable to connect to the LDAP server, referer: https://secure------/


    I have a couple of web portals using the same LDAP. So I am pretty sure the settings are OK if they are used as given in the example.

    Btw, I did notice that if the hostname is changed to something that doesn't exist, it doesn't get anywhere. So definitely something is happening! Please help me.

  • Also, I am using the latest from SVN. Why doesn't the latest version have TLS enable/disable settings? Is it hard-coded to enabled? Maybe that is it?

  • and 

    PHP 5.2.5 with Suhosin-Patch 0.9.6.2 (cli) (built: Apr 23 2008 23:35:28) 

    Copyright (c) 1997-2007 The PHP Group

    Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

        with eAccelerator v0.9.6, Copyright (c) 2004-2010 eAccelerator, by eAccelerator

  • @nA looks like you have the wrong bind information for your LDAP setup

  • Hi Cash, thanks for the quick reply. 

    This is how I made sure that I use the correct settings:

    1. used the same hostname/ ip address, port(389) and base DN in Jexplorer

    2. used the security user DN in Jexplorer as the LDAP bind DN. same password for sure!

    3. No spaces or quotes used (just as used in Jexplorer). Both elgg and jexplorer from the same PC

    4. Able to connect and get details using Jexplorer without issues.

    Probably because:

    1. I am using HTTPS. Would this be an issue? It shouldn't be, but I'm just bringing out all possible obstacles.

    2. No TLS used in mine, could this be an issue?

    3. The order in which this plugin should be placed?

    4. Any prerequisites missing?

    5. Any extra port needed by Elgg for this authentication blocked by a firewall? The LDAP service/port is definitely allowed (as Jexplorer from the same PC works fine!)

    Any other log to check, to pick up any other hints?

    Thanks, nAni

  • Also, which version of ldap_auth should I use? The one in SVN (about 2 weeks old) or the one released in the Elgg community?
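The PHP script below is an added example for this thread, not code from ldap_auth or from any of the posters. It walks the same connect, bind, search sequence that mod/ldap_auth/start.php performs, but without the `@` that suppresses the result of ldap_search() at line 258, and it prints ldap_errno()/ldap_error() at each step. That separates the two failures seen above: the first post's "No such object" (LDAP result 32, almost always a base DN that the server cannot find) from nAni's "Invalid credentials" (result 49, wrong bind DN or password). A base-scope ldap_read() of the base DN is done before the user search so that a bad base DN is reported on its own, before the filter is involved. Two caveats a practitioner would want are built in: the username is escaped before it is placed in the filter (the quoted line 258 concatenates it raw; ldap_escape() exists only from PHP 5.6, so a small RFC 4515 fallback is included for the 5.2/5.3 builds mentioned here), and a non-empty bind DN with an empty password is refused, because an LDAP unauthenticated bind is accepted as anonymous by many servers and would make the bind look "OK" when it is not. Every host, DN, attribute name, account and password in the script is a placeholder to be replaced with your own values.

```php
<?php
// ldap_diag.php: run from the CLI as  php ldap_diag.php <username>
// Added diagnostic example; not part of the ldap_auth plugin.
// All values below are placeholders (assumptions), replace them with your settings.

$host        = 'ldap.example.com';                          // placeholder LDAP/AD host
$port        = 389;
$use_tls     = false;                                       // true to STARTTLS before binding
$bind_dn     = 'CN=svc-elgg,OU=Service Accounts,DC=example,DC=com'; // '' for an anonymous bind
$bind_pw     = 'changeme';
$basedn      = 'DC=example,DC=com';                         // where the user search starts
$filter_attr = 'sAMAccountName';                            // AD login attribute; 'uid' on many other directories
$search_attr = array('cn', 'mail', 'memberOf');
$username    = isset($argv[1]) ? $argv[1] : 'jdoe';         // placeholder account

// Escape a value for use inside an LDAP search filter (RFC 4515).
// ldap_escape() is native from PHP 5.6; the strtr() fallback covers older builds.
function filter_escape($value) {
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    $map = array('\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00');
    return strtr($value, $map);
}

// Report the server-side result for the step that failed and stop.
// 32 = "No such object" (base DN), 49 = "Invalid credentials" (bind DN / password)
function fail($ds, $step) {
    fwrite(STDERR, sprintf("%s failed: [%d] %s\n", $step, ldap_errno($ds), ldap_error($ds)));
    exit(1);
}

if ($bind_dn !== '' && $bind_pw === '') {
    // An unauthenticated bind (DN given, empty password) is treated as anonymous by
    // many servers, so a "successful" bind here would prove nothing about the account.
    fwrite(STDERR, "refusing to bind with a DN and an empty password\n");
    exit(1);
}

$ds = ldap_connect($host, $port);           // only validates host/port syntax; no network yet
if (!$ds) { fwrite(STDERR, "ldap_connect() rejected the host/port\n"); exit(1); }
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // AD answers some searches with referrals; chasing them breaks results

if ($use_tls && !ldap_start_tls($ds)) {
    fail($ds, 'ldap_start_tls');
}

// Step 1: bind. An empty DN means an anonymous bind, as the plugin's field label implies.
$bound = ($bind_dn === '') ? ldap_bind($ds) : ldap_bind($ds, $bind_dn, $bind_pw);
if (!$bound) {
    fail($ds, 'ldap_bind');
}
echo "bind OK\n";

// Step 2: can the base DN itself be read? A base-scope read isolates a wrong base DN
// ("No such object") from a problem with the search filter.
$sr = ldap_read($ds, $basedn, '(objectClass=*)', array('dn'));
if (!$sr) {
    fail($ds, "ldap_read of base DN '$basedn'");
}
echo "base DN OK\n";

// Step 3: the user lookup the plugin performs, with the username escaped.
$filter = '(' . $filter_attr . '=' . filter_escape($username) . ')';
$sr = ldap_search($ds, $basedn, $filter, $search_attr);
if (!$sr) {
    fail($ds, "ldap_search with filter $filter");
}
$entries = ldap_get_entries($ds, $sr);
printf("search OK: %d entries for %s\n", $entries['count'], $filter);
if ($entries['count'] === 0) {
    echo "no match: check \$filter_attr and that the user lives under \$basedn\n";
}
ldap_unbind($ds);
```

Run it from the same machine that hosts Elgg, so it uses the same PHP build, the same php.ini and the same network path as the web server rather than a desktop LDAP browser on another PC; a bind that works from JXplorer on a workstation says nothing about a firewall rule between the web server and the directory.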